HIPAA FAQ
What level of encryption does mumms® use? The mumms® PAS program uses SSH protocol 2 when the client supports it; otherwise SSH protocol 1 is used. A detailed explanation of each protocol follows. The symmetric part of the encryption uses a key of at least 128 bits. The mumms® CPC program uses HTTPS (HTTP over SSL/TLS); the symmetric part of that encryption likewise uses a key of at least 128 bits.
How does SSH protocol version 1 work? Each host has a host-specific RSA key (1024 bits) used to identify the host. Additionally, when the daemon starts, it generates a server RSA key (768 bits). This key is normally regenerated every hour if it has been used, and is never stored on disk. Whenever a client connects, the daemon responds with its public host and server keys. The client compares the RSA host key against its own database to verify that it has not changed. The client then generates a 256-bit random number. It encrypts this random number using both the host key and the server key, and sends the encrypted number to the server. Both sides then use this random number as a session key that is used to encrypt all further communications in the session. The rest of the session is encrypted using a conventional cipher, Blowfish or 3DES, with 3DES being used by default. The client selects the encryption algorithm to use from those offered by the server. Next, the server and the client enter an authentication dialog. The client tries to authenticate itself using RSA challenge-response authentication or password-based authentication.
How does SSH protocol version 2 work? Version 2 works similarly to version 1. Each host has a host-specific DSA key used for identification. However, when the daemon starts, a server key is not generated. Forward secrecy is provided through a Diffie-Hellman key agreement, which results in a shared session key. The remainder of the session is encrypted using a symmetric cipher: Blowfish, 3DES or CAST128 in CBC mode, or Arcfour. The client selects the encryption algorithm from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code (hmac-sha1 or hmac-md5). Protocol version 2 provides a public-key-based user authentication method (DSA authentication) and conventional password authentication.
What SSL/TLS modes does your httpd process allow? The httpd process accepts the following cipher suites (one per line: suite name, protocol, key exchange, authentication, encryption with key size, MAC):

DHE-RSA-AES256-SHA    SSLv3  Kx=DH    Au=RSA   Enc=AES(256)   Mac=SHA1
DHE-DSS-AES256-SHA    SSLv3  Kx=DH    Au=DSS   Enc=AES(256)   Mac=SHA1
AES256-SHA            SSLv3  Kx=RSA   Au=RSA   Enc=AES(256)   Mac=SHA1
KRB5-DES-CBC3-SHA     SSLv3  Kx=KRB5  Au=KRB5  Enc=3DES(168)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA  SSLv3  Kx=DH    Au=RSA   Enc=3DES(168)  Mac=SHA1
EDH-DSS-DES-CBC3-SHA  SSLv3  Kx=DH    Au=DSS   Enc=3DES(168)  Mac=SHA1
DES-CBC3-SHA          SSLv3  Kx=RSA   Au=RSA   Enc=3DES(168)  Mac=SHA1
DHE-RSA-AES128-SHA    SSLv3  Kx=DH    Au=RSA   Enc=AES(128)   Mac=SHA1
DHE-DSS-AES128-SHA    SSLv3  Kx=DH    Au=DSS   Enc=AES(128)   Mac=SHA1
AES128-SHA            SSLv3  Kx=RSA   Au=RSA   Enc=AES(128)   Mac=SHA1
DHE-DSS-RC4-SHA       SSLv3  Kx=DH    Au=DSS   Enc=RC4(128)   Mac=SHA1
KRB5-RC4-SHA          SSLv3  Kx=KRB5  Au=KRB5  Enc=RC4(128)   Mac=SHA1
RC4-SHA               SSLv3  Kx=RSA   Au=RSA   Enc=RC4(128)   Mac=SHA1

Please see http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9 for a discussion of this table.
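As an added example (not code from the FAQ or from mumms®), the following Python parses lines in the `openssl ciphers -v` layout used by the table above and reports which offered suites a defender would now retire. The sample lines are copied from the table; the retirement rules (no forward secrecy when Kx is not DH, RC4, 3DES, keys under 128 bits) are this example's own.

```python
import re
from typing import Dict, List

# Constructed input: a subset of the FAQ table, in openssl "ciphers -v" layout.
CIPHER_TABLE = """\
DHE-RSA-AES256-SHA     SSLv3 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA             SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
KRB5-DES-CBC3-SHA      SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA     SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

# One table row: name, protocol, then the Kx=/Au=/Enc=/Mac= fields.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)$"
)


def parse_ciphers(text: str) -> List[dict]:
    """Turn each matching row into a dict; blank or odd lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        suite = m.groupdict()
        suite["bits"] = int(suite["bits"])   # symmetric key size
        suites.append(suite)
    return suites


def audit(suite: dict) -> List[str]:
    """Return the reasons (possibly none) a suite should be retired."""
    reasons = []
    if suite["kx"] != "DH":            # static RSA / KRB5 key exchange
        reasons.append("no forward secrecy")
    if suite["enc"] == "RC4":
        reasons.append("RC4 stream cipher")
    if suite["enc"] == "3DES":         # 64-bit block size
        reasons.append("3DES (64-bit block)")
    if suite["bits"] < 128:
        reasons.append("key under 128 bits")
    return reasons


def weak_suites(text: str) -> Dict[str, List[str]]:
    """Map each offered suite that fails the audit to its reasons."""
    result = {}
    for suite in parse_ciphers(text):
        reasons = audit(suite)
        if reasons:
            result[suite["name"]] = reasons
    return result
```

Only the DHE suites pass every rule; the static-RSA and Kerberos suites are flagged for lacking forward secrecy regardless of cipher.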
What is the password policy? Beginning Q2, 2005, password changes are required quarterly (soft limit 90 days, hard limit 105 days, lockout at 110 days). Passwords must be substantially different from the last password. Password reuse is safeguarded against the last 12 passwords. Passwords must meet minimum quality standards. Presently the minimum password quality standard is nine points. Each character is worth one point. There is one extra point for the first instance of a number, lowercase letter, capital letter or special character (for a maximum of four extra points). The absolute minimum password length is six characters. Passwords cannot be based on "dictionary" words. There are checks against slang, English and jargon dictionaries and many proper names, but passwords should not be based on words that can be found in any word list.
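As an added example that is not mumms® code, here is a Python checker for the policy just described. The nine-point score, six-character floor and twelve-password history come from the answer; the word list is a constructed stand-in for the real dictionaries, and the "substantially different" rule (fewer than half the characters unchanged in place) is an assumption of this example.

```python
import string
from typing import List, Optional

# Constructed stand-in for the slang/English/jargon/proper-name dictionaries.
WORD_LIST = {"hospice", "password", "welcome", "summer", "mumms"}
MIN_POINTS = 9      # minimum quality score from the FAQ
MIN_LENGTH = 6      # absolute minimum length from the FAQ
HISTORY_DEPTH = 12  # number of previous passwords that may not be reused


def score(password: str) -> int:
    """One point per character plus one bonus per character class (max four)."""
    classes = [
        any(c.isdigit() for c in password),
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) + sum(classes)


def contains_dictionary_word(password: str) -> bool:
    """A password 'based on' a word: the word appears anywhere, any case."""
    lowered = password.lower()
    return any(word in lowered for word in WORD_LIST)


def substantially_different(new: str, old: str) -> bool:
    """Assumed rule: fewer than half the positions may carry the same character."""
    shared = sum(1 for a, b in zip(new, old) if a == b)
    return shared * 2 < max(len(new), len(old))


def check_password(password: str, history: List[str]) -> Optional[str]:
    """Return None if the password passes, else the first failing rule.
    `history` is oldest-first; its last element is the current password."""
    if len(password) < MIN_LENGTH:
        return "shorter than six characters"
    if score(password) < MIN_POINTS:
        return "fewer than nine quality points"
    if contains_dictionary_word(password):
        return "based on a dictionary word"
    if password in history[-HISTORY_DEPTH:]:
        return "reused within the last twelve passwords"
    if history and not substantially_different(password, history[-1]):
        return "too similar to the previous password"
    return None
```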
How is data integrity ensured? / How is HIPAA data kept secure? mumms® PAS - Client administrators assign databases and roles for each user. The application enforces database- and role-based authorization, while the operating system handles identification and authentication of users. mumms® CPC – mumms® personnel assign users to each site. Data from mumms® PAS identifies the users' disciplines. The CPC application only allows users assigned to a site to access that site's data. The application enforces role-based authorization within the site based on user discipline(s). The web server handles identification and authentication of online users. Offline users are identified and authenticated by the client application.
With the "email this page" function, emails can only be sent to other CPC users. The email contains a link to the document which prompts the recipient to enter his/her CPC username and password to view the actual document.
What safeguards does mumms® recommend for hospices to maintain HIPAA compliance? mumms® recommends that all hospices set up laptops and desktops with password entry into Windows as an additional level of security. Additionally, mumms® recommends that laptops and desktops be programmed to automatically log off after three minutes of non-use. Restrictions for software installation are also highly recommended.
Can mumms® assist with updating HIPAA policies during the implementation of electronic charting? Yes. The mumms® Liaison Program offers advice and assistance on compliance with HIPAA and other regulations affected by electronic documentation.
HIPAA regulations say that each employee should access only the minimum amount of protected health information. How does CPC comply with this regulation? Based on each employee's electronic job description, access is only granted for the visit types and forms necessary to perform his/her job. Additionally, if an employee accessed an unauthorized portion of the electronic record, the program would track his/her activity, and all documentation would be signed using his/her electronic signature.